<!DOCTYPE html>
<html>
<head><meta name="generator" content="Hexo 3.8.0">
    

    

    



    <meta charset="utf-8">
    
    
    
    
    <title>CORS协议安全研究 | Panda Blogs</title>
    <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
    
    <meta name="theme-color" content="#3F51B5">
    
    
    <meta name="keywords" content="protocol,front-side-security">
    <meta name="description" content="CORS Cross-origin resource sharing向跨源服务器发送XMLHttpRequest实现跨站资源请求 SOP 同源策略 same origin policy同源策略SOP下，限制不同源之间的资源交换。浏览器访问a.com网页网页上有脚本访问b.com 则禁止若不遵循同源策略则会发生CSRF(cross site request forgery)或者HFPA(HTML f">
<meta name="keywords" content="protocol,front-side-security">
<meta property="og:type" content="article">
<meta property="og:title" content="CORS协议安全研究">
<meta property="og:url" content="http://leepanda.gitee.io/2018/11/29/CORS跨源资源共享协议/index.html">
<meta property="og:site_name" content="Panda Blogs">
<meta property="og:description" content="CORS Cross-origin resource sharing向跨源服务器发送XMLHttpRequest实现跨站资源请求 SOP 同源策略 same origin policy同源策略SOP下，限制不同源之间的资源交换。浏览器访问a.com网页网页上有脚本访问b.com 则禁止若不遵循同源策略则会发生CSRF(cross site request forgery)或者HFPA(HTML f">
<meta property="og:locale" content="default">
<meta property="og:image" content="http://leepanda.gitee.io/img/20181129202348.jpg">
<meta property="og:image" content="http://leepanda.gitee.io/img/20181129212308.jpg">
<meta property="og:image" content="http://leepanda.gitee.io/img/20181129222723.jpg">
<meta property="og:image" content="http://leepanda.gitee.io/img/20181129223358.jpg">
<meta property="og:updated_time" content="2018-11-30T04:29:54.034Z">
<meta name="twitter:card" content="summary">
<meta name="twitter:title" content="CORS协议安全研究">
<meta name="twitter:description" content="CORS Cross-origin resource sharing向跨源服务器发送XMLHttpRequest实现跨站资源请求 SOP 同源策略 same origin policy同源策略SOP下，限制不同源之间的资源交换。浏览器访问a.com网页网页上有脚本访问b.com 则禁止若不遵循同源策略则会发生CSRF(cross site request forgery)或者HFPA(HTML f">
<meta name="twitter:image" content="http://leepanda.gitee.io/img/20181129202348.jpg">
    
    <link rel="shortcut icon" href="/favicon.ico">
    <link rel="stylesheet" href="//unpkg.com/hexo-theme-material-indigo@latest/css/style.css">
    <script>window.lazyScripts=[]</script>

    <!-- custom head -->
    

</head>

<body>
    <div id="loading" class="active"></div>

    <aside id="menu" class="hide">
  <div class="inner flex-row-vertical">
    <a href="javascript:;" class="header-icon waves-effect waves-circle waves-light" id="menu-off">
        <i class="icon icon-lg icon-close"></i>
    </a>
    <div class="brand-wrap" style="background-image:url(/img/brand.jpg)">
      <div class="brand">
        <a href="/" class="avatar waves-effect waves-circle waves-light">
          <img src="/img/touxiang.jpg">
        </a>
        <hgroup class="introduce">
          <h5 class="nickname">达闻西</h5>
          <a href="mailto:836475291@qq.com" title="836475291@qq.com" class="mail">836475291@qq.com</a>
        </hgroup>
      </div>
    </div>
    <div class="scroll-wrap flex-col">
      <ul class="nav">
        
            <li class="waves-block waves-effect">
              <a href="/">
                <i class="icon icon-lg icon-home"></i>
                主页
              </a>
            </li>
        
            <li class="waves-block waves-effect">
              <a href="/archives">
                <i class="icon icon-lg icon-archives"></i>
                Archives
              </a>
            </li>
        
            <li class="waves-block waves-effect">
              <a href="/tags">
                <i class="icon icon-lg icon-tags"></i>
                Tags
              </a>
            </li>
        
            <li class="waves-block waves-effect">
              <a href="/categories">
                <i class="icon icon-lg icon-th-list"></i>
                Categories
              </a>
            </li>
        
            <li class="waves-block waves-effect">
              <a href="https://github.com/pandatea" target="_blank">
                <i class="icon icon-lg icon-github"></i>
                Github
              </a>
            </li>
        
            <li class="waves-block waves-effect">
              <a href="https://weibo.com/u/2290808041/" target="_blank">
                <i class="icon icon-lg icon-weibo"></i>
                Weibo
              </a>
            </li>
        
            <li class="waves-block waves-effect">
              <a href="/custom">
                <i class="icon icon-lg icon-link"></i>
                测试
              </a>
            </li>
        
      </ul>
    </div>
  </div>
</aside>

    <main id="main">
        <header class="top-header" id="header">
    <div class="flex-row">
        <a href="javascript:;" class="header-icon waves-effect waves-circle waves-light on" id="menu-toggle">
          <i class="icon icon-lg icon-navicon"></i>
        </a>
        <div class="flex-col header-title ellipsis">CORS协议安全研究</div>
        
        <div class="search-wrap" id="search-wrap">
            <a href="javascript:;" class="header-icon waves-effect waves-circle waves-light" id="back">
                <i class="icon icon-lg icon-chevron-left"></i>
            </a>
            <input type="text" id="key" class="search-input" autocomplete="off" placeholder="Search">
            <a href="javascript:;" class="header-icon waves-effect waves-circle waves-light" id="search">
                <i class="icon icon-lg icon-search"></i>
            </a>
        </div>
        
        
        <a href="javascript:;" class="header-icon waves-effect waves-circle waves-light" id="menuShare">
            <i class="icon icon-lg icon-share-alt"></i>
        </a>
        
    </div>
</header>
<header class="content-header post-header">

    <div class="container fade-scale">
        <h1 class="title">CORS协议安全研究</h1>
        <h5 class="subtitle">
            
                <time datetime="2018-11-29T12:08:37.000Z" itemprop="datePublished" class="page-time">
  2018-11-29
</time>


            
        </h5>
    </div>

    


</header>


<div class="container body-wrap">
    
    <aside class="post-widget">
        <nav class="post-toc-wrap post-toc-shrink" id="post-toc">
            <h4>TOC</h4>
            <ol class="post-toc"><li class="post-toc-item post-toc-level-1"><a class="post-toc-link" href="#CORS-Cross-origin-resource-sharing"><span class="post-toc-number">1.</span> <span class="post-toc-text">CORS Cross-origin resource sharing</span></a><ol class="post-toc-child"><li class="post-toc-item post-toc-level-3"><a class="post-toc-link" href="#SOP-同源策略-same-origin-policy"><span class="post-toc-number">1.0.1.</span> <span class="post-toc-text">SOP 同源策略 same origin policy</span></a></li><li class="post-toc-item post-toc-level-3"><a class="post-toc-link" href="#简单请求和非简单请求"><span class="post-toc-number">1.0.2.</span> <span class="post-toc-text">简单请求和非简单请求</span></a></li><li class="post-toc-item post-toc-level-3"><a class="post-toc-link" href="#基本流程"><span class="post-toc-number">1.0.3.</span> <span class="post-toc-text">基本流程</span></a></li><li class="post-toc-item post-toc-level-3"><a class="post-toc-link" href="#非简单请求"><span class="post-toc-number">1.0.4.</span> <span class="post-toc-text">非简单请求</span></a></li><li class="post-toc-item post-toc-level-3"><a class="post-toc-link" href="#CORS-with-jsonp"><span class="post-toc-number">1.0.5.</span> <span class="post-toc-text">CORS with jsonp</span></a></li></ol></li></ol><li class="post-toc-item post-toc-level-1"><a class="post-toc-link" href="#CORS的安全研究-by-段海新、陈建军-from-清华大学"><span class="post-toc-number">2.</span> <span class="post-toc-text">CORS的安全研究(by 段海新、陈建军 from 清华大学)</span></a><ol class="post-toc-child"><li class="post-toc-item post-toc-level-3"><a class="post-toc-link" href="#CORS过于宽松的发送条件"><span class="post-toc-number">2.0.1.</span> <span class="post-toc-text">CORS过于宽松的发送条件</span></a></li><li class="post-toc-item post-toc-level-3"><a class="post-toc-link" href="#有风险的信任依赖"><span class="post-toc-number">2.0.2.</span> <span class="post-toc-text">有风险的信任依赖</span></a></li><li class="post-toc-item post-toc-level-3"><a class="post-toc-link" href="#CORS-misconfigurations-错误配置"><span class="post-toc-number">2.0.3.</span> <span class="post-toc-text">CORS misconfigurations 错误配置</span></a></li><li class="post-toc-item post-toc-level-3"><a class="post-toc-link" href="#CORS-弱表达能力-错误配置"><span class="post-toc-number">2.0.4.</span> <span class="post-toc-text">CORS 弱表达能力 错误配置</span></a></li><li class="post-toc-item post-toc-level-3"><a class="post-toc-link" href="#CORS-伪造-Origin-null"><span class="post-toc-number">2.0.5.</span> <span class="post-toc-text">CORS 伪造 Origin-null</span></a></li><li class="post-toc-item post-toc-level-3"><a class="post-toc-link" href="#CORS-安全机制"><span class="post-toc-number">2.0.6.</span> <span class="post-toc-text">CORS 安全机制</span></a></li><li class="post-toc-item post-toc-level-3"><a class="post-toc-link" href="#CORS-and-Cache"><span class="post-toc-number">2.0.7.</span> <span class="post-toc-text">CORS and Cache</span></a></li></ol></li>
        </nav>
    </aside>


<article id="post-CORS跨源资源共享协议" class="post-article article-type-post fade" itemprop="blogPost">

    <div class="post-card">
        <h1 class="post-card-title">CORS协议安全研究</h1>
        <div class="post-meta">
            <time class="post-time" title="2018-11-29 20:08:37" datetime="2018-11-29T12:08:37.000Z" itemprop="datePublished">2018-11-29</time>

            


            
<span id="busuanzi_container_page_pv" title="文章总阅读量" style="display:none">
    <i class="icon icon-eye icon-pr"></i><span id="busuanzi_value_page_pv"></span>
</span>


        </div>
        <div class="post-content" id="post-content" itemprop="postContent">
            <h1 id="CORS-Cross-origin-resource-sharing"><a href="#CORS-Cross-origin-resource-sharing" class="headerlink" title="CORS Cross-origin resource sharing"></a>CORS Cross-origin resource sharing</h1><p>向跨源服务器发送XMLHttpRequest<br>实现跨站资源请求</p>
<h3 id="SOP-同源策略-same-origin-policy"><a href="#SOP-同源策略-same-origin-policy" class="headerlink" title="SOP 同源策略 same origin policy"></a>SOP 同源策略 same origin policy</h3><p>同源策略SOP下，限制不同源之间的资源交换。<br>浏览器访问a.com网页<br>网页上有脚本访问b.com 则禁止<br>若不遵循同源策略<br>则会发生CSRF(cross site request forgery)或者HFPA(HTML form protocol attack)</p>
<h3 id="简单请求和非简单请求"><a href="#简单请求和非简单请求" class="headerlink" title="简单请求和非简单请求"></a>简单请求和非简单请求</h3><ul>
<li>请求方法是HEAD GET POST</li>
<li><code>header</code> 只限于 <code>Accept</code> <code>Accept-Language</code> <code>Content-Language</code> <code>Last-Event-ID</code> <code>Content-Type</code></li>
<li><code>Content-Type</code> 只限于 <code>application/x-www-form-urlencoded</code> <code>multipart/form-data</code> <code>text/plain</code></li>
</ul>
<p>满足以上条件的就是简单请求，不满足即为非简单请求</p>
<h3 id="基本流程"><a href="#基本流程" class="headerlink" title="基本流程"></a>基本流程</h3><p>浏览器发起跨域请求 在header中添加<code>origin</code>字段<br>例如<code>Origin: http://api.bob.com</code><br>表明了请求来自哪个源<code>协议+域名+端口</code></p>
<p>服务器判断Origin是否在允许范围内<br>False正常返回200页面，但没有任何Access-Control头<br>Ture正常返回200页面，外加<code>Access-Control-Origin</code>,<code>Access-Control-Allow-Credentials</code>,<code>Access-Control-Expose-Headers</code> 三个头字段<br>“Credentials”表示服务器是否接受跨源的Cookie<br>正常情况下，response收到的header中<br>Cache-Control、Content-Language、Content-Type、 Expires、Last-Modified、Pragma、<br>需要回显其他字段的内容，服务端要在Access-Control-Expose-Headers中指定。</p>
<h3 id="非简单请求"><a href="#非简单请求" class="headerlink" title="非简单请求"></a>非简单请求</h3><p>浏览器发送Origin询问服务器自己是否被允许访问资源，可使用的HTTP动词和头信息字段<br>询问方法时使用Access-Control-Request-Headers<br>得到肯定答复后，才会正式发出XMLHttpRequest<br>这一步称为 预检<br>预检时浏览器使用动词option<br>服务器回应Access-Control-Allow-Origin<br>Access-Control-Allow-Methods<br>Access-Control-Allow-Headers</p>
<h3 id="CORS-with-jsonp"><a href="#CORS-with-jsonp" class="headerlink" title="CORS with jsonp"></a>CORS with jsonp</h3><p>jsonp的具体实现方法:</p>
<ul>
<li>jquery的getJSON,通过回调函数的方式，将第三方服务器的返回信息储存到浏览器变量中。</li>
<li>第三方服务器收到请求后，将要返回的资源存在第三方服务器的某个js文件的或某个变量中。浏览器再次请求这个js文件，之后就可以直接访问这个资源。</li>
</ul>
<h1 id="CORS的安全研究-by-段海新、陈建军-from-清华大学"><a href="#CORS的安全研究-by-段海新、陈建军-from-清华大学" class="headerlink" title="CORS的安全研究(by 段海新、陈建军 from 清华大学)"></a>CORS的安全研究(by 段海新、陈建军 from 清华大学)</h1><figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="/img/20181129202348.jpg" alt="不遵循SOP的下场 CSRF" title="">
                </div>
                <div class="image-caption">不遵循SOP的下场 CSRF</div>
            </figure>
<h3 id="CORS过于宽松的发送条件"><a href="#CORS过于宽松的发送条件" class="headerlink" title="CORS过于宽松的发送条件"></a>CORS过于宽松的发送条件</h3><p>表单提交增加了web前端安全隐患，CORS简单请求中对HEADER和CONTENT-TYPE字段的要求也有所放宽。这使得出现四个安全问题</p>
<ul>
<li>内部服务器远程代码执行</li>
<li>攻击之前不可利用的CSRF漏洞</li>
<li>攻击内网二进制协议服务</li>
<li>泄露任意网站的隐私信息</li>
</ul>
<h3 id="有风险的信任依赖"><a href="#有风险的信任依赖" class="headerlink" title="有风险的信任依赖"></a>有风险的信任依赖</h3><p>当一个高安全等级的网站在<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Access-Control-Allow-Origin</span><br></pre></td></tr></table></figure></p>
<p>字段中声明自己信任一个低安全等级网站<br>攻击者可以通过低安全等级网站向高安全网站发起跨源资源请求。</p>
<blockquote>
<p>HTTPS信任HTTP</p>
</blockquote>
<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="/img/20181129212308.jpg" alt="HTTPS信任HTTP" title="">
                </div>
                <div class="image-caption">HTTPS信任HTTP</div>
            </figure>
<blockquote>
<p>信任其他域</p>
<blockquote>
<p>1.信任子域:会增大子域名网站中xss的破坏性</p>
</blockquote>
</blockquote>
<blockquote>
<blockquote>
<p>2.信任第三方:增大攻击面</p>
</blockquote>
</blockquote>
<ul>
<li>这里清华大学陈建军先生提供了一个利用的视频</li>
<li>视频当中有一个小trick</li>
<li>当第三方服务器信任域名example.com</li>
<li>可以用example.com.hack.com等 域名进行信任绕过</li>
</ul>
<h3 id="CORS-misconfigurations-错误配置"><a href="#CORS-misconfigurations-错误配置" class="headerlink" title="CORS misconfigurations 错误配置"></a>CORS misconfigurations 错误配置</h3><p>前人的研究</p>
<ul>
<li>James Kettle, “Exploiting CORS misconfigurations for Bitcoins and bounties”, AppSecUSA 2016</li>
<li>Evan Johnson, “Misconfigured CORS and why web appsec is not getting easier”, AppSecUSA 2016</li>
</ul>
<p>配置标准</p>
<ul>
<li>W3C : <figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">- WHATWG : ```Access-Control-Allow-Origin = single origin, null or *</span><br></pre></td></tr></table></figure></li>
</ul>
<p>其中WHATWG所有浏览器通用</p>
<h3 id="CORS-弱表达能力-错误配置"><a href="#CORS-弱表达能力-错误配置" class="headerlink" title="CORS 弱表达能力 错误配置"></a>CORS 弱表达能力 错误配置</h3><ul>
<li>反射ORIGIN:给什么信什么</li>
<li>前缀匹配:信exp.com,给hackexp.com也信</li>
<li>后缀匹配:信exp.com,给exp.com.hack.com也信</li>
<li>未转义’.’:信exp.com,给expacom也信</li>
<li>子字符串匹配:信exp.com,给xp.co也信</li>
</ul>
<h3 id="CORS-伪造-Origin-null"><a href="#CORS-伪造-Origin-null" class="headerlink" title="CORS 伪造 Origin-null"></a>CORS 伪造 Origin-null</h3><blockquote>
<p>Whenever a user agent issues an HTTP request from a “privacy- sensitive” context, the user agent MUST send the value “null” in the Origin header field.<br>– RFC 6454 </p>
</blockquote>
<p>但所有浏览器可以用iframe的sandbox伪造origin-null字段</p>
<p><a href="&#39;https://www.cynet.com/wp-content/uploads/2016/12/Blog-Post-BugSec-Cynet-Facebook-Originull.pdf&#39;">巧妙利用可读取敏感信息</a></p>
<h3 id="CORS-安全机制"><a href="#CORS-安全机制" class="headerlink" title="CORS 安全机制"></a>CORS 安全机制</h3><ul>
<li>“Access-Control-Allow-Origin:*” 和 “Access-Control-Allow-Credentials:true” 不能同时使用</li>
<li>所有浏览器遵循这个规定</li>
</ul>
<p>然而还是有人在服务端开发中忽略了这个标准<br>造成了反射性信任源<br>Origin给啥就信啥</p>
<p>CORS服务端实现框架</p>
<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="/img/20181129222723.jpg" alt="CORS服务端实现框架" title="">
                </div>
                <div class="image-caption">CORS服务端实现框架</div>
            </figure>
<h3 id="CORS-and-Cache"><a href="#CORS-and-Cache" class="headerlink" title="CORS and Cache"></a>CORS and Cache</h3><p>为了快速认证Origin 人类文明发明了基于Cache的CORS认证机制</p>
<figure class="image-bubble">
                <div class="img-lightbox">
                    <div class="overlay"></div>
                    <img src="/img/20181129223358.jpg" alt="Cache and CORS" title="">
                </div>
                <div class="image-caption">Cache and CORS</div>
            </figure> 
<p>图片里出现的认证错误问题可以用Vary:Origin字段解决</p>

        </div>

        <blockquote class="post-copyright">
    
    <div class="content">
        
<span class="post-time">
    Last updated: <time datetime="2018-11-30T04:29:54.034Z" itemprop="dateUpdated">2018-11-30 12:29:54</time>
</span><br>


        
        这里可以写作者留言，标签和 hexo 中所有变量及辅助函数等均可调用，示例：<a href="/2018/11/29/CORS跨源资源共享协议/" target="_blank" rel="external">http://leepanda.gitee.io/2018/11/29/CORS跨源资源共享协议/</a>
        
    </div>
    
    <footer>
        <a href="http://leepanda.gitee.io">
            <img src="/img/touxiang.jpg" alt="达闻西">
            达闻西
        </a>
    </footer>
</blockquote>

        
<div class="page-reward">
    <a id="rewardBtn" href="javascript:;" class="page-reward-btn waves-effect waves-circle waves-light">赏</a>
</div>



        <div class="post-footer">
            
	<ul class="article-tag-list"><li class="article-tag-list-item"><a class="article-tag-list-link" href="/tags/front-side-security/">front-side-security</a></li><li class="article-tag-list-item"><a class="article-tag-list-link" href="/tags/protocol/">protocol</a></li></ul>


            
<div class="page-share-wrap">
    

<div class="page-share" id="pageShare">
    <ul class="reset share-icons">
      <li>
        <a class="weibo share-sns" target="_blank" href="http://service.weibo.com/share/share.php?url=http://leepanda.gitee.io/2018/11/29/CORS跨源资源共享协议/&title=《CORS协议安全研究》 — Panda Blogs&pic=http://leepanda.gitee.io/img/touxiang.jpg" data-title="微博">
          <i class="icon icon-weibo"></i>
        </a>
      </li>
      <li>
        <a class="weixin share-sns wxFab" href="javascript:;" data-title="微信">
          <i class="icon icon-weixin"></i>
        </a>
      </li>
      <li>
        <a class="qq share-sns" target="_blank" href="http://connect.qq.com/widget/shareqq/index.html?url=http://leepanda.gitee.io/2018/11/29/CORS跨源资源共享协议/&title=《CORS协议安全研究》 — Panda Blogs&source=" data-title=" QQ">
          <i class="icon icon-qq"></i>
        </a>
      </li>
      <li>
        <a class="facebook share-sns" target="_blank" href="https://www.facebook.com/sharer/sharer.php?u=http://leepanda.gitee.io/2018/11/29/CORS跨源资源共享协议/" data-title=" Facebook">
          <i class="icon icon-facebook"></i>
        </a>
      </li>
      <li>
        <a class="twitter share-sns" target="_blank" href="https://twitter.com/intent/tweet?text=《CORS协议安全研究》 — Panda Blogs&url=http://leepanda.gitee.io/2018/11/29/CORS跨源资源共享协议/&via=http://leepanda.gitee.io" data-title=" Twitter">
          <i class="icon icon-twitter"></i>
        </a>
      </li>
      <li>
        <a class="google share-sns" target="_blank" href="https://plus.google.com/share?url=http://leepanda.gitee.io/2018/11/29/CORS跨源资源共享协议/" data-title=" Google+">
          <i class="icon icon-google-plus"></i>
        </a>
      </li>
    </ul>
 </div>



    <a href="javascript:;" id="shareFab" class="page-share-fab waves-effect waves-circle">
        <i class="icon icon-share-alt icon-lg"></i>
    </a>
</div>



        </div>
    </div>

    


    

















</article>

<div id="reward" class="page-modal reward-lay">
    <a class="close" href="javascript:;"><i class="icon icon-close"></i></a>
    <h3 class="reward-title">
        <i class="icon icon-quote-left"></i>
        谢谢大爷~
        <i class="icon icon-quote-right"></i>
    </h3>
    <div class="reward-content">
        
        <div class="reward-code">
            <img id="rewardCode" src="/img/zhifu.jpg" alt="打赏二维码">
        </div>
        
    </div>
</div>



</div>

        <footer class="footer">
    <div class="top">
        
<p>
    <span id="busuanzi_container_site_uv" style="display:none">
        站点总访客数：<span id="busuanzi_value_site_uv"></span>
    </span>
    <span id="busuanzi_container_site_pv" style="display:none">
        站点总访问量：<span id="busuanzi_value_site_pv"></span>
    </span>
</p>


        <p>
            
            <span>This blog is licensed under a <a rel="license" href="https://creativecommons.org/licenses/by/4.0/">Creative Commons Attribution 4.0 International License</a>.</span>
        </p>
    </div>
    <div class="bottom">
        <p><span>达闻西 &copy; 2018</span>
            <span>
                
                Power by <a href="http://hexo.io/" target="_blank">Hexo</a> Theme <a href="https://github.com/yscoder/hexo-theme-indigo" target="_blank">indigo</a>
            </span>
        </p>
    </div>
</footer>

    </main>
    <div class="mask" id="mask"></div>
<a href="javascript:;" id="gotop" class="waves-effect waves-circle waves-light"><span class="icon icon-lg icon-chevron-up"></span></a>



<div class="global-share" id="globalShare">
    <ul class="reset share-icons">
      <li>
        <a class="weibo share-sns" target="_blank" href="http://service.weibo.com/share/share.php?url=http://leepanda.gitee.io/2018/11/29/CORS跨源资源共享协议/&title=《CORS协议安全研究》 — Panda Blogs&pic=http://leepanda.gitee.io/img/touxiang.jpg" data-title="微博">
          <i class="icon icon-weibo"></i>
        </a>
      </li>
      <li>
        <a class="weixin share-sns wxFab" href="javascript:;" data-title="微信">
          <i class="icon icon-weixin"></i>
        </a>
      </li>
      <li>
        <a class="qq share-sns" target="_blank" href="http://connect.qq.com/widget/shareqq/index.html?url=http://leepanda.gitee.io/2018/11/29/CORS跨源资源共享协议/&title=《CORS协议安全研究》 — Panda Blogs&source=" data-title=" QQ">
          <i class="icon icon-qq"></i>
        </a>
      </li>
      <li>
        <a class="facebook share-sns" target="_blank" href="https://www.facebook.com/sharer/sharer.php?u=http://leepanda.gitee.io/2018/11/29/CORS跨源资源共享协议/" data-title=" Facebook">
          <i class="icon icon-facebook"></i>
        </a>
      </li>
      <li>
        <a class="twitter share-sns" target="_blank" href="https://twitter.com/intent/tweet?text=《CORS协议安全研究》 — Panda Blogs&url=http://leepanda.gitee.io/2018/11/29/CORS跨源资源共享协议/&via=http://leepanda.gitee.io" data-title=" Twitter">
          <i class="icon icon-twitter"></i>
        </a>
      </li>
      <li>
        <a class="google share-sns" target="_blank" href="https://plus.google.com/share?url=http://leepanda.gitee.io/2018/11/29/CORS跨源资源共享协议/" data-title=" Google+">
          <i class="icon icon-google-plus"></i>
        </a>
      </li>
    </ul>
 </div>


<div class="page-modal wx-share" id="wxShare">
    <a class="close" href="javascript:;"><i class="icon icon-close"></i></a>
    <p>扫一扫，分享到微信</p>
    <img src="//api.qrserver.com/v1/create-qr-code/?data=http://leepanda.gitee.io/2018/11/29/CORS跨源资源共享协议/" alt="微信分享二维码">
</div>




    <script src="//cdn.bootcss.com/node-waves/0.7.4/waves.min.js"></script>
<script>
var BLOG = { ROOT: '/', SHARE: true, REWARD: true };


</script>

<script src="//unpkg.com/hexo-theme-material-indigo@latest/js/main.min.js"></script>


<div class="search-panel" id="search-panel">
    <ul class="search-result" id="search-result"></ul>
</div>
<template id="search-tpl">
<li class="item">
    <a href="{path}" class="waves-block waves-effect">
        <div class="title ellipsis" title="{title}">{title}</div>
        <div class="flex-row flex-middle">
            <div class="tags ellipsis">
                {tags}
            </div>
            <time class="flex-col time">{date}</time>
        </div>
    </a>
</li>
</template>

<script src="//unpkg.com/hexo-theme-material-indigo@latest/js/search.min.js" async></script>






<script async src="//dn-lbstatics.qbox.me/busuanzi/2.3/busuanzi.pure.mini.js"></script>



<script>
(function() {
    var OriginTitile = document.title, titleTime;
    document.addEventListener('visibilitychange', function() {
        if (document.hidden) {
            document.title = '死鬼去哪里了！';
            clearTimeout(titleTime);
        } else {
            document.title = '(つェ⊂)咦!又好了!';
            titleTime = setTimeout(function() {
                document.title = OriginTitile;
            },2000);
        }
    });
})();
</script>



</body>
</html>
